Threats Tagged 'npm supply chain'

Microsoft Threat Intelligence identified an active supply chain attack involving malicious npm packages that employ dependency confusion techniques. Between May 28-29, 2026, a threat actor using three maintainer aliases published malicious packages across nine organizational scopes that mirror real corporate namespaces. The packages execute obfuscated reconnaissance payloads through npm lifecycle hooks, collecting system information, environment variables, and developer credentials. All packages connect to the same command-and-control server and deploy a 17KB JavaScript dropper designed for environment fingerprinting. The campaign includes platform-specific payloads for Windows, macOS, and Linux, with CI/CD detection bypass capabilities. The architecture operates in reconnaissance-only mode but supports server-side toggling for full exploitation. Forensic analysis indicates all three accounts are operated by a single individual, evidenced by shared C2 infrastructure, identical hardcoded authentication toke...

On April 10, 2026, a malicious npm package named sleek-pretty@1.0.0 was published, targeting developers running automated trading bots on Polymarket, a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, SSH backdoor installation on Linux hosts, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to DPRK's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known DPRK infrastructure.